Europol Declares War on Ransomware

Europol has declared war on ransomware with the launch today of its ‘no more ransom’ initiative. Built around a new online portal (www.nomoreransom.org) and supported by the Dutch National Police, Kaspersky Lab and Intel Security (McAfee), the purpose is to help protect users from ransomware, to help infected victims recover their data, and to gather information for law enforcement agencies.

Europol stresses that prevention is better — and more effective — than cure. The number of victims is growing dramatically, while the number of decryption tools remains low. Kaspersky says the number of users attacked by crypto-ransomware rose by 5.5 times, from 131,000 in 2014-2015 to 718,000 in 2015-2016. The portal currently contains four decryption tools for different malware versions.

All of these decryption tools were developed by the existing project members. The latest is for Shade. Shade warns its victims that any attempt to decrypt the files themselves will result in permanent loss of their data. Sean Sullivan at F-Secure told SecurityWeek that he believes the warning is meant more to deter self-decryption attempts than to flag a serious issue. Nevertheless, it is a valid warning: if anything goes wrong during decryption, the files would be changed sufficiently for the genuine keys to become unworkable.

For this reason, Kaspersky Lab told SecurityWeek, “We also recommend [you] make backups of the encrypted files before you start decrypting them, so that in the unlikely case that something goes wrong, you still have your original encrypted files.”

“Awareness is key as there are no decryption tools for all existing types of malware available to this day,” warns Europol. “If you are infected, the chances are high that the data will be lost forever. Exercising a conscious internet use following a set of simple cyber security tips can help avoid the infection in the first place.” All of this advice can be found on the new site.

The initiative is described as public-private cooperation — which is increasingly viewed as the most effective way forward in the fight against cyber crime. “This is a joint responsibility of the police, the justice department, Europol, and ICT companies, and requires a joint effort,” explained Wilbert Paulissen, Director of the National Criminal Investigation Division at the Dutch National Police. “This is why I am very happy about the police’s collaboration with Intel Security and Kaspersky Lab. Together we will do everything in our power to disturb criminals’ money making schemes and return files to their rightful owners without the latter having to pay loads of money.”

The Dutch police have a reputation for being proactive against cyber crime. In 2010, working with FoxIT and the ISP LeaseWeb, they took over Bredolab servers and caused them to download a police warning message to infected users.

Raj Samani, EMEA CTO for Intel Security, commented, “This collaboration goes beyond intelligence sharing, consumer education, and takedowns to actually help repair the damage inflicted upon victims. By restoring access to their systems, we empower users by showing them they can take action and avoid rewarding criminals with a ransom payment.”

All parties hope that this is the start of a much wider public-private collaboration. “It is an open, non-commercial project,” Europol told SecurityWeek. “We do expect other IT security companies and other law enforcement agencies to join in the future. The more forces join to fight ransomware, the better.”

David Harley, ESET Senior Research Fellow, thinks this is likely. “I’m sure other mainstream companies would get involved if invited,” he told SecurityWeek. “We regularly work with law enforcement and other state agencies in a wide variety of contexts.”

The site itself is maintained jointly by the existing project partners, although it is not clear whether this will extend to all participating partners if the project expands in the future. It contains advice on how to avoid infection, and offers the opportunity — in some cases — for victims to retrieve their data through decryption.

Its advice to victims who cannot recover their files is simple: don’t pay. SecurityWeek asked Europol if this advice applied equally to consumer and corporate victims. “We firmly believe in the Don’t Pay – advice because by paying you are supporting criminal activity. Once infected, you should report the issue to your competent law enforcement organization. Also, corporate victims should take preventive measures to ensure that they will not become the victim of ransomware (back-ups, etc).” Kaspersky Lab added, “All in all, you need to remember that paying ransomware to criminals doesn’t guarantee you will receive a decryption key.”

The reality, however, is that while this advice might be reasonable for consumer victims, corporate victims of ransomware invariably will — and indeed should — take an individual risk-based approach on whether to pay.